API GOVERNANCE: A VITAL BUILDING BLOCK FOR API SECURITY

IT governance is hard. Corporate governance is hard. In an older context, SOA governance was hard — if an organization attempted to do that at all. By extension, API governance is hard.

But that effort is necessary if your IT department is going to be well governed and well managed. With API governance, you improve API management and take a key step forward to achieving a comprehensive API security strategy.

The nature of API governanceAt the time of this writing, I’ve been in around 40 corporate IT shops on four continents. In most of these shops, there were many opportunities to improve API governance (and governance in general).

In the previous decade, the failure of Service Oriented Architecture (SOA) in most contexts was a failure of governance. One lesson learned from SOA that API management was built upon is the importance and need for a focus on governance. Thus, we have API governance as a central tenet of API management.

API governance addresses:

tracking the lifecycle of each API from inception to sun setting (more below)

tracking the API consumers and subscriptions (relationships) to APIs

the API security model employed and the details of managing it

defining the API interface standards used for creating and publishing APIs (an organization’s standards for usage of something like Swagger) in the organization

gathering statistics on both the developer portal and API gateway usage

utilization-based billing

API versioning

JSON (or XML) schema versioning for input and output data structures

tracking of routing information to the backend

And it doesn’t exist in a vacuum. API governance must tie into change management, asset management, configuration management and legacy SOA governance (with the goal of eventually replacing it) — so that you have a holistic API management program that works for the people, processes and technology in your enterprise.

How API governance ties into API securityAPI governance isn’t just an important component of API management; it is critically important to API security as well. If your organization hasn’t put the effort into the governance aspects of API management, that will show up in other areas including API security.

In the world of AI and machine learning-based API security products, such as PingIntelligence, API governance is important because it allows for avoiding duplication of APIs and facilitates the creation of reusable APIs (reusable across multiple applications, application types and user types).

This minimizes the “surface area” of APIs that must be analyzed for anomalies and maximizes the traffic that passes through the reusable APIs. These factors facilitate optimal conditions for training solutions that use machine learning to build a baseline for expected behavior on each API in order to understand what is normal and detect anomalies. In the absence of effective API governance that achieves these characteristics, you will not be efficiently managing your organization’s API resources and will not fully realize the benefits of these solutions.

Keep in mind, however, that if your organization is one that:

has numerous APIs with duplicate functionality

has APIs that are called by only a single API Consumer

has low traffic volume against its APIs

then you’re likely to have frustrating results when training an API cybersecurity solution that uses machine learning to detect anomalous behavior. Those first two can be addressed with effective API governance. (The last one isn’t a function of a lack of governance; that issue is for another post.)

The payoffs of API governanceAs I stated at the beginning of this blog post, API governance is hard, so most shops treat it as a checkbox and maybe pay some lip service to it. But API management and IT governance are like anything else in life: You get out of it what you put into it.

Ninety percent of the effort in deploying an API management solution is the governance, process, security and organizational politics — and of course, the same is true of any IT effort. The technology is the easy part and in the day-to-day pressure of getting things done, it is tempting to just deploy the technology with the minimal effort needed to make the technology work. But in the long run, your organization will realize far more if the hard work is done up front.